03/10/2015

Email Encryption: And now for the whole story

by Neil Farquharson

Thanks to massive media coverage, we’re all well aware of recent data security breaches – Sony, Target, Home Depot, Anthem and more – and you may have noticed a knee-jerk reaction from some executives who, once they find out about a breach, talk about moving quickly from insufficient protection to encryption overkill, without regard to how this will affect their business operations.

However, I’d like to point out that all of the above breaches refer to hacking attacks on data stored within company networks. That is, breaches that are detectable – at least within a few months! What the media rarely acknowledges, however, is that email interception is almost never detected and therefore not newsworthy. But the fact that it is not detected does not mean it is not happening. The irony is that your data is more vulnerable in transit, as it passes between end points and servers, than it ever is at rest. Edward Snowden notoriously divulged that the NSA and (the United Kingdom’s) GCHQ routinely act as a man-in-the-middle to intercept emails in transit and then retransmit them, with neither the senders nor the recipients ever being the wiser.

The root problem is that SMTP emerged back at the dawn of the Internet. As an Internet standard, SMTP is used by the big players in the email arena allowing email to function seamlessly.

As it relates to email encryption, a similar story has emerged of late. Remember the relatively recent headlines announcing support for encrypted email as standard by Yahoo, Google and other big names? These headlines are a good reminder to be careful not to take everything at face value.

These providers have indeed made some improvements to the security of email by using SMTP transmitted over TLS, but their implementation does not ensure the confidentiality of the email. In other words, they’re relying on a technique sometimes referred to as Opportunistic TLS, which means there is no authentication of the intended recipient. It’s important to understand the dangers of that approach.

A data thief can use a man-in-the-middle attack to cause the email to be misrouted without detection, so that your data ends up in the wrong hands – and you would never know. Is the email encryption promoted by these vendors actually satisfying security demands? Encryption without authentication creates the perception that you are secure when in fact your data is still vulnerable.
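To make the difference concrete, here is an added illustration (not Zix code, and not taken from the post) of what an opportunistic policy versus an enforced, authenticated policy does with the same SMTP server. It works offline on constructed EHLO replies: one from a server that offers STARTTLS, and one as seen through an in-path attacker who has stripped the STARTTLS capability; the server name mail.example.net is a placeholder.

```python
import ssl

# Constructed sample EHLO replies (RFC 5321 multi-line 250 responses).
EHLO_WITH_STARTTLS = (
    "250-mail.example.net\r\n250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n250 8BITMIME\r\n"
)
# The same server, but with the STARTTLS line removed by an in-path attacker.
EHLO_STRIPPED = "250-mail.example.net\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def advertised_extensions(ehlo_reply):
    """Return the set of EHLO keywords (upper-cased) from a 250 reply."""
    exts = set()
    for line in ehlo_reply.splitlines()[1:]:  # line 0 is the server greeting
        if line.startswith("250"):
            exts.add(line[4:].split()[0].upper())
    return exts


def decide(ehlo_reply, policy):
    """What the sending client does next under each policy.

    'opportunistic': use TLS only if the server offers it, otherwise send
        in plaintext; the certificate is never checked (no authentication).
    'enforce': require STARTTLS plus a certificate that chains to a trusted
        CA and matches the server name; otherwise refuse to send.
    Returns 'plaintext', 'tls-unauthenticated', 'tls-verified' or 'abort'.
    """
    offered = "STARTTLS" in advertised_extensions(ehlo_reply)
    if policy == "opportunistic":
        return "tls-unauthenticated" if offered else "plaintext"
    if policy == "enforce":
        return "tls-verified" if offered else "abort"
    raise ValueError("unknown policy: %s" % policy)


def tls_context(policy):
    """The ssl.SSLContext each policy would pass to smtplib.SMTP.starttls()."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if policy == "opportunistic":
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # encrypts, but to whoever answers
    return ctx
```

With the stripped reply, the opportunistic client silently sends in plaintext and the enforcing client aborts; with the full reply, only the enforcing client checks that the peer it encrypts to is actually the intended server.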

Taking all of this into consideration, the wrong thing to do would be to remove encryption altogether because of its perceived difficulty and cost. So what is the solution? A modern email encryption solution that delivers a simple and secure email encryption experience. Features such as automatic encryption and decryption between a community of companies provide businesses and users with a solution that reduces the common pain points. Zix doesn’t just provide the illusion that your data is secured; we ensure your encrypted email is always protected.